← Back to Security Advisories Overview
Informational
CVE(s)
CVE-2023-0286
Updated:
Product(s)
Cloud Optix
Intercept X Endpoint
Intercept X for Server
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Email Appliance (SEA)
Sophos Enterprise Console (SEC)
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos UTM
Sophos Web Appliance (SWA)
Sophos Wireless
SophosLabs Intelix
Publication ID:
sophos-sa-20230214-openssl-vuln
Article Version:
2
First Published:
Workaround:
No
Overview
On Tuesday February 7, 2023, the OpenSSL Project Team announced that several versions of OpenSSL contain fixes for vulnerabilities, including one high severity one.
OpenSSL is a ubiquitous cryptography library used in many operating systems and applications.
Patches for OpenSSL
The fixes are included in the following releases:
- https://www.openssl.org/source/openssl-3.0.8.tar.gz
- https://www.openssl.org/source/openssl-1.1.1t.tar.gz
- OpenSSL 1.0.2zg (premium support customers only)
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
Note: as this is an ongoing investigation product status will change as more information becomes available.
| Product or Service | CVE-2023-0286 Status | Description |
| Cloud Optix | Not affected | Component not present |
| PureMessage | Not affected | Vulnerable code not in execute path |
| SG UTM (all versions) | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos Endpoint protection (Windows/Mac/Linux) | Not affected | Vulnerable code not in execute path |
| Sophos Endpoint Protection - Legacy (Linux/SVE) | Not affected | Vulnerable code not in execute path |
| Sophos Enterprise Console (SEC) | Not affected | Vulnerable code not in execute path |
| Sophos Firewall (all versions) | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos Central | Not affected | Vulnerable code not in execute path |
| Sophos Connect client | Not affected | Vulnerable code not in execute path |
| Sophos Email | Not affected | Vulnerable code not in execute path |
| Sophos Email Appliance | Not affected | Vulnerable code not in execute path |
| Sophos Home | Not affected | Vulnerable code not in execute path |
| Sophos RED | Not affected | Vulnerable code not in execute path |
| Sophos Wireless | Not affected | Vulnerable code not in execute path |
| Sophos Web Appliance | Not affected | Vulnerable code not in execute path |
| Sophos SASI (AntiSpam) | Not affected | Vulnerable code not in execute path |
| Sophos Mobile | Not affected | Vulnerable code not in execute path |
| Sophos Mobile EAS Proxy | Not affected | Vulnerable code not in execute path |
| SophosLabs Intelix | Not affected | Vulnerable code not in execute path |
Sophos product protections
Sophos is actively monitoring for threat activity and detection opportunities relating to this vulnerability.
Related Information
- https://www.openssl.org/news/secadv/20230207.txt
- https://www.openssl.org/policies/general/security-policy.html
- https://nakedsecurity.sophos.com/2023/02/08/openssl-fixes-high-severity-data-stealing-bug-patch-now/
- https://nakedsecurity.sophos.com/2023/02/09/s3-ep121-can-you-get-hacked-and-then-prosecuted-for-it-audio-text/
Change Log
- February 14, 2023: Initial version
- February 20, 2023:
- Added: Sophos Endpoint Protection - Legacy (Linux/SVE), Sophos Central, Sophos Email, Sophos Email Appliance
- Updated: Sophos Endpoint protection (Windows/Mac/Linux)